DazzleSpy is the latest Mac malware to make headlines. Intriguingly, it has the hallmarks of a state-sponsored, cyber-espionage campaign.
Intego detects this malware’s various components as OSX/DazzleSpy, OSX/CDDS, OSX/Exploit.Agent.C, and JS/Exploit.Agent.NQK.
Let’s examine this threat and what makes it unique and interesting.
In November 2021, teams from Google and ESET were independently researching a Mac malware campaign. The campaign leveraged what’s known as a watering hole attack—where a group of people with a common interest is specifically targeted for infection. In this case, evidently the targeted class was people advocating for democracy in Hong Kong.
Erye Hernandez from Google’s Threat Analysis Group (TAG) first published findings about the campaign on November 11. Hernandez noted that the watering hole campaign leveraged a vulnerability (CVE-2021-30869) that did not affect the then-current version of macOS Big Sur, but was exploitable on macOS Catalina.
Apple later released a patch for Catalina, as well as for iOS 12.5.5, on September 23 (as Intego noted here). On the same day, Apple updated its security release notes for macOS Big Sur 11.2—which had been released way back on February 1—to acknowledge that the update had fixed the vulnerability nearly eight months earlier.
It’s quite interesting that Apple secretively patched a vulnerability in February for the then-latest macOS version, neglecting to patch it for other operating systems that were ostensibly still supported at the time—and only admitting to it, and patching other affected operating systems, when the vulnerability was caught being used in the wild. As we’ve said before, Apple’s poor patching policies potentially make users’ security and privacy precarious. It’s safest to stay up to date with the very latest version of Apple’s operating systems; older versions may get some, but not all, important security fixes.
Hernandez stated that Google believed “this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.” Google called the payload’s malware family “MACMA,” which Patrick Wardle nicknamed “CDDS” based on its repeated code strings.
This week, ESET researchers Marc-Etienne M.Léveillé and Anton Cherepanov published findings from their own independent research of the same watering hole attack campaign. Although their analysis led to a different payload from the one observed by Google, they came to similar conclusions about the threat actor: “Given the complexity of the exploits used in this campaign, we [assess] that the group behind this operation has strong technical capabilities.” The researchers noted that the threat actor had non-public knowledge about a particular WebKit vulnerability, and used a clever method to force end-to-end encryption between infected Macs and the command-and-control (C&C) server.
ESET determined that it had received a different malware payload from the one Google had received, and dubbed the malware family “DazzleSpy.”
DazzleSpy appears to have a wide variety of capabilities, mostly focused on spying on the user and stealing sensitive information. Among other things, DazzleSpy can:
Another Mac malware threat distributed through the same sites and methods, dubbed Macma or CDDS, became widely known after Google published its report in November. This malware has several of the same capabilities as DazzleSpy. Google’s assessment of Macma malware did not specify whether it could potentially export keychain passwords; however, Google did say that Macma can record audio and log keystrokes.
Unfortunately, the threat mitigation features that Apple has built into macOS—such as notarization, Gatekeeper, XProtect, and MRT—do not block many types of threats. Thus, Apple’s own macOS protection methods are insufficient by themselves.
If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer that includes real-time scanning, such as Intego VirusBarrier X9—which also protects Macs from M1-native malware, cross-platform malware, and more. Intego recently earned a 100% detection rating for Mac malware in two independent tests conducted by AV-Comparatives and AV-TEST.
And if you’re a Windows user, Intego Antivirus for Windows can protect your PC, too.
Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.
Both amnestyhk[.]org and fightforhk[.]com appear to have been registered by a threat actor for the specific purpose of targeting supporters of Hong Kong democracy.
But even more specifically, given the exploits and malware used in these campaigns, it seems that the threat actor was specifically targeting Mac users for some reason—and perhaps even users of macOS Catalina (or older) on Intel-based Macs.
Given this very precise degree of targeting, it’s possible that one particular person, or a small group of people, may have been the primary target.
Two other domains used in these campaigns, apple-webservice[.]com and appleid-server[.]com, are clearly intended to look like Apple domains at a glance, or to a novice. However, Apple doesn’t own either domain. Both were registered with GoDaddy in August 2021, and the registration information for both domains was last updated on November 11—the same day that Google’s blog post exposed them. There are indications that at least one of the domains may have been reused for other malicious campaigns on or after that date (see Vulners and Hybrid Analysis reports).
It seems clear that whoever distributed DazzleSpy was not in favor of Hong Kong democracy, given that the malware was distributed through sites that claimed to be pro-democracy in Hong Kong.
Interestingly, we may know the name of one of the developers of the malware. Several text strings embedded in DazzleSpy’s code seem to reveal the username on the developer’s Mac as “wangping”:
/Users/wangping/pangu/create_source/poke/osxrk_commandLine/
Of course, it’s entirely possible that this is a false flag. Given the sophistication of other aspects of the malware campaign, it seems sloppy for the developer to reveal their name in this way.
On the other hand, such a goof isn’t unprecedented; see Intego’s white paper on Mac malware attribution (PDF).
The following SHA-256 hashes belong to known files associated with DazzleSpy, CDDS/Macma, and related malware campaigns:
The following files and folders may potentially be found on an infected Mac:
~/.local/security.zip
~/.local/security/keystealDaemon
~/.local/security/libkeystealClient.dylib
~/.local/softwareupdate
~/Library/LaunchAgents/com.apple.softwareupdate.plist
~/Library/LaunchAgents/com.UserAgent.va.plist
~/Library/Preferences/lib/UserAgent
~/Library/Preferences/Tools/
~/Library/Preferences/Tools/arch
~/Library/Preferences/Tools/at
~/Library/Preferences/Tools/kAgent
~/Library/Preferences/UserAgent/lib/Data/
~/Library/Preferences/UserAgent/lib/UserAgent
~/Library/Safari/Safari.app/Contents/MacOS/UpdateHelper
Note that ~ denotes the user’s home folder, e.g. /Users/username.
It’s also important to note that the ~/.local folder mentioned above is typically invisible. By default, macOS hides folders and files with names that begin with a period character. You can reveal hidden files and folders by pressing ⌘⇧. (Command-Shift-period) in the Finder. However, be aware that most hidden items are not malicious, so avoid deleting or moving hidden items to the Trash unless you are certain that they are harmful.
The following IP addresses, domains, and URLs have been observed to have ties with this malware or related campaigns. Network administrators can check logs to try to identify whether any computers on their network may have attempted to contact one of these IPs or domains between August and November 2021, or possibly afterward.
Although the following URL is not malicious, it was compromised (hacked) during a portion of the timeframe mentioned above. Therefore, computers that visited this site around that time may potentially have become infected:
https://bc.d100[.]net/Product/Subscription [no longer infected]
Other vendors’ names for threat components from this malware campaign may include variations of the following:
For additional technical details about the DazzleSpy malware, you can read the recent write-ups by Marc-Etienne M.Léveillé and Anton Cherepanov and Patrick Wardle. For more back story and additional insights, you can also read the November 2021 write-ups by Erye Hernandez, Patrick Wardle, and Phil Stokes about the related exploits and CDDS/Macma malware.
We discussed DazzleSpy on episode 224 of the Intego Mac Podcast. Be sure to follow the podcast to make sure you don’t miss any episodes! You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.
DazzleSpy logo based on public domain dazzle and spy movie silhouette images.